Friday, August 18, 2006

Over and Over

Some great clarification to some confusion that some folks have about two-factor authentication from Michael Farnum:

In regards to the HIPAA security rule, it has been stated that §164.312(2)(i) only requires that each individual be given a unique username and password. This is not entirely true. §164.312(c)(2) states that the covered entity should "implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed". Single-factor authentication, even a username and password combination, is considered to be inadequate by many security professionals to verify identity of an individual. In case of legality, the Federal Financial Institutions Examinations Counsel ("FFIEC") has recently concluded "single-factor authentication, as the only control mechanism, to be inadequate in the case of high-risk transactions". Though this does not apply specifically to HIPAA, it does give a strong indication as to where all federal regulations are headed.

Simply said, requiring an easily remembered PIN number in addition to the RFID card adds virtually no complication or time to the login process, yet the security benefits are very high. It protects your patient data (your most valuable asset) and secures your network, and it would be a favorable layer of security in case of a HIPAA audit.

Thanks Michael!

No comments: